Merge pull request #831 from AFLplusplus/dev

Push to stable
author: van Hauser <vh@thc.org> 2021-03-19 19:04:59 +0100
committer: GitHub <noreply@github.com> 2021-03-19 19:04:59 +0100
commit: e98cd008222aa3bfea9b696ad756163302437eb3 (patch)
tree: 56cce5a15206634bd1877c428a5b15c064d7fa53 /qemu_mode/libqasan/malloc.c
parent: 23f7bee81c46ad4f0f65fa56d08064ab5f1e2e6f (diff)
parent: 2102264acf5c271b7560a82771b3af8136af9354 (diff)
download: afl++-e98cd008222aa3bfea9b696ad756163302437eb3.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c
index 5a2d2a0c..6fe6fc8c 100644
--- a/qemu_mode/libqasan/malloc.c
+++ b/qemu_mode/libqasan/malloc.c
@@ -159,6 +159,9 @@ size_t __libqasan_malloc_usable_size(void *ptr) {
   char *p = ptr;
   p -= sizeof(struct chunk_begin);
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   return ((struct chunk_begin *)p)->requested_size;
 
 }
@@ -225,6 +228,9 @@ void __libqasan_free(void *ptr) {
   struct chunk_begin *p = ptr;
   p -= 1;
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   size_t n = p->requested_size;
 
   QASAN_STORE(ptr, n);
author	van Hauser <vh@thc.org>	2021-03-19 19:04:59 +0100
committer	GitHub <noreply@github.com>	2021-03-19 19:04:59 +0100
commit	e98cd008222aa3bfea9b696ad756163302437eb3 (patch)
tree	56cce5a15206634bd1877c428a5b15c064d7fa53 /qemu_mode/libqasan/malloc.c
parent	23f7bee81c46ad4f0f65fa56d08064ab5f1e2e6f (diff)
parent	2102264acf5c271b7560a82771b3af8136af9354 (diff)
download	afl++-e98cd008222aa3bfea9b696ad756163302437eb3.tar.gz